This hands-on workshop is designed to give cybersecurity professionals, malware researchers, and detection engineers a rare opportunity to explore how modern Endpoint Detection and Response (EDR) solutions truly work, and how to both research and build them from the ground up.
Overview
Syllabus
- EDR Foundations & Architectural Principles
  - EDR vs. EPP / Antivirus
  - EDR Architecture
  - EDR Detection Techniques
  - Static Engine
  - Dynamic Engine
  - Heuristic Engine
- Reverse-Engineering the Defenses: Hands-On EDR Research Lab
  - Research Methodology & Tips
  - Deploying an EDR Research Lab (Provided OVA)
  - Lead Gathering
  - Checking the Exclusions List
  - Testing EDR Self-Protection Mechanisms
  - Process Tokens & File Permissions
  - EDR Persistence Mechanisms
  - Reverse Engineering an EDR Component
- Offensive Tradecraft: Modern EDR Bypass & Evasion Techniques
  - FUD Malware vs. Targeted EDR Bypass
  - Rename Obfuscation
  - Control-Flow Obfuscation
  - IAT & API Hashing
  - String Encryption
  - Process Injection
  - Timestomping
  - Memory Bombing
- Designing the Core: Building User- and Kernel-Mode EDR Components
  - EDR Component Design
  - API and Syscall Hooking
  - Leveraging ETW (Event Tracing for Windows)
  - User & Kernel Mode Components
- Kernel Driver Engineering for Endpoint Visibility & Control
  - Process and Thread Callbacks
  - Registry Callbacks
  - Other Callback Mechanisms
  - File System Minifilters
  - Additional Techniques
  - User-Kernel Communication
- Detection Engineering: Implementing High-Fidelity Threat Analytics
  - Remote Thread Injection Detection
  - Ransomware Detection
  - Real-World Detection Implementation Lab
Taught by
Pavel Yosifovich and Uriel Kosayev